Fix KerberosAuthenticator serverPrincipal host replacement (#5766)

Jonathan Wei 2018-05-09 22:34:49 -07:00 committed by Nishant Bangarwa
parent e8caf02147
commit 7a1faa332f
1 changed files with 20 additions and 24 deletions


@ -127,13 +127,19 @@ public class KerberosAuthenticator implements Authenticator
) )
{ {
this.node = node; this.node = node;
this.serverPrincipal = serverPrincipal;
this.serverKeytab = serverKeytab; this.serverKeytab = serverKeytab;
this.authToLocal = authToLocal == null ? "DEFAULT" : authToLocal; this.authToLocal = authToLocal == null ? "DEFAULT" : authToLocal;
this.excludedPaths = excludedPaths == null ? DEFAULT_EXCLUDED_PATHS : excludedPaths; this.excludedPaths = excludedPaths == null ? DEFAULT_EXCLUDED_PATHS : excludedPaths;
this.cookieSignatureSecret = cookieSignatureSecret; this.cookieSignatureSecret = cookieSignatureSecret;
this.authorizerName = authorizerName; this.authorizerName = authorizerName;
this.name = Preconditions.checkNotNull(name); this.name = Preconditions.checkNotNull(name);
try {
this.serverPrincipal = SecurityUtil.getServerPrincipal(serverPrincipal, node.getHost());
}
catch (Exception e) {
throw new RuntimeException(e);
}
} }
@Override @Override
@ -422,20 +428,12 @@ public class KerberosAuthenticator implements Authenticator
public Map<String, String> getInitParameters() public Map<String, String> getInitParameters()
{ {
Map<String, String> params = new HashMap<String, String>(); Map<String, String> params = new HashMap<String, String>();
try { params.put("kerberos.principal", serverPrincipal);
params.put( params.put("kerberos.keytab", serverKeytab);
"kerberos.principal", params.put(AuthenticationFilter.AUTH_TYPE, DruidKerberosAuthenticationHandler.class.getName());
SecurityUtil.getServerPrincipal(serverPrincipal, node.getHost()) params.put("kerberos.name.rules", authToLocal);
); if (cookieSignatureSecret != null) {
params.put("kerberos.keytab", serverKeytab); params.put("signature.secret", cookieSignatureSecret);
params.put(AuthenticationFilter.AUTH_TYPE, DruidKerberosAuthenticationHandler.class.getName());
params.put("kerberos.name.rules", authToLocal);
if (cookieSignatureSecret != null) {
params.put("signature.secret", cookieSignatureSecret);
}
}
catch (IOException e) {
Throwables.propagate(e);
} }
return params; return params;
} }
@ -583,8 +581,8 @@ public class KerberosAuthenticator implements Authenticator
for (Object cred : serverCreds) { for (Object cred : serverCreds) {
if (cred instanceof KeyTab) { if (cred instanceof KeyTab) {
KeyTab serverKeyTab = (KeyTab) cred; KeyTab serverKeyTab = (KeyTab) cred;
KerberosPrincipal serverPrincipal = new KerberosPrincipal(this.serverPrincipal); KerberosPrincipal kerberosPrincipal = new KerberosPrincipal(serverPrincipal);
KerberosKey[] serverKeys = serverKeyTab.getKeys(serverPrincipal); KerberosKey[] serverKeys = serverKeyTab.getKeys(kerberosPrincipal);
for (KerberosKey key : serverKeys) { for (KerberosKey key : serverKeys) {
if (key.getKeyType() == eType) { if (key.getKeyType() == eType) {
finalKey = new EncryptionKey(key.getKeyType(), key.getEncoded()); finalKey = new EncryptionKey(key.getKeyType(), key.getEncoded());
@ -623,12 +621,10 @@ public class KerberosAuthenticator implements Authenticator
private void initializeKerberosLogin() throws ServletException private void initializeKerberosLogin() throws ServletException
{ {
String principal;
String keytab; String keytab;
try { try {
principal = SecurityUtil.getServerPrincipal(serverPrincipal, node.getHost()); if (serverPrincipal == null || serverPrincipal.trim().length() == 0) {
if (principal == null || principal.trim().length() == 0) {
throw new ServletException("Principal not defined in configuration"); throw new ServletException("Principal not defined in configuration");
} }
keytab = serverKeytab; keytab = serverKeytab;
@ -640,16 +636,16 @@ public class KerberosAuthenticator implements Authenticator
} }
Set<Principal> principals = new HashSet<Principal>(); Set<Principal> principals = new HashSet<Principal>();
principals.add(new KerberosPrincipal(principal)); principals.add(new KerberosPrincipal(serverPrincipal));
Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
DruidKerberosConfiguration kerberosConfiguration = new DruidKerberosConfiguration(keytab, principal); DruidKerberosConfiguration kerberosConfiguration = new DruidKerberosConfiguration(keytab, serverPrincipal);
log.info("Login using keytab " + keytab + ", for principal " + principal); log.info("Login using keytab " + keytab + ", for principal " + serverPrincipal);
loginContext = new LoginContext("", subject, null, kerberosConfiguration); loginContext = new LoginContext("", subject, null, kerberosConfiguration);
loginContext.login(); loginContext.login();
log.info("Initialized, principal %s from keytab %s", principal, keytab); log.info("Initialized, principal %s from keytab %s", serverPrincipal, keytab);
} }
catch (Exception ex) { catch (Exception ex) {
throw new ServletException(ex); throw new ServletException(ex);